Tuesday, April 18, 2017

How would you react if I told you that computer security experts are six times more likely to run only ad-blocking software on their PCs than only anti-malware? Would you be surprised?

That was the result from a Twitter poll I conducted last year, in which more than 1,000 self-identified computer security experts shared that they are more concerned about ads than malware. While social media polls are admittedly unscientific, I’d argue these numbers are actually pretty close to reality, which means that roughly three out of four computer security experts largely view ad blocking as a more indispensable part of protection than anti-virus software by far. Let that sink in for a moment.

I understand the business model… really, I do. Publishers rely on their viewers seeing ads because that’s how they make their money. In return they provide all of us with free content and services. If ads are blocked, publishers make less money, and the free content and services dry up. On the other hand, these same ads are one of the leading threats to personal security and privacy. So, what we have here is an online version of a Mexican standoff. Neither side is able to proceed without exposing themselves to danger.

So here we are without many technical options: the only thing internet users can do to protect themselves is to install an ad blocker (like hundreds of millions of users have already done); and the only thing a publisher can do is to use an ad blocker detector on their website(s). This allows them to decide to block content and/or issue a plea to whitelist their ads. Unfortunately, the technology model for publishers to ‘safely’ include third-party content such as ads into their pages is also lacking. There just isn’t a comprehensive and scalable way to check billions of ads daily to see if they’re safe to distribute – or if the origin of an ad is reputable. Of course, publishers can also supplement or replace advertising revenue streams with a paid-for-content model, hosting conferences, asking for donations, and so on.

Let's also be very clear: neither the publishers, the advertisers, nor the ad-tech industry that binds everything together takes on any liability for malvertising, infecting a user with malware, or the resultant damage. This also means that they have zero incentive to meaningfully address the problem, and they never seem to want to talk about the security concerns that make ad blocking an essential security practice. They only want to talk about the money their side is losing, or how to make ads more visually tolerable. But even if ads magically become less obnoxious and less costly in terms of bandwidth, we still have the security problem. Until the advertising technology industry admits that its product - the ads themselves - is simply dangerous, there can be no real resolution.

About Me

Jeremiah Grossman's career spans nearly 20 years, and he has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards and been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events, including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!